apparmor support in latest kernel

I was just curious if anyone knows whether or not AppArmor is fully featured now in the Arch kernel, or whether it still requires patching? The wiki mentions it, but the information seems somewhat outdated. Thanks!

Re: apparmor support in latest kernel

Ah, ok. I figured it was probably fully supported by now; I just wasn't sure, because the wiki mentions needing to patch it to get full functionality.

"However, integration of AppArmor into the 2.6.36 kernel is not quite complete. It is missing network mediation and some of the interfaces for introspection. See here for details. There are compatibility patches that can be applied to every recent kernel to reintroduce these interfaces. The patchset is pretty small and should be applied if you decide to use AppArmor. (Note: the patchset for 2.6.39 works with Kernel 3.0.x)"

But it seems the information might be a little outdated. I just wanted to make sure I wasn't missing out on anything. =P

Re: apparmor support in latest kernel

The last time I tried this you still had to compile and install a custom kernel from the AUR for AppArmor profiles to work. That was with the 3.4.x series kernels. If you search for "apparmor" in the AUR you will find it.

Re: apparmor support in latest kernel

I use AppArmor just fine with the stock kernel. You can still enable/disable profiles. The biggest annoyance I found was that genprof would not work without the AppArmor patches compiled in, but for basic support you don't need the custom kernel.

Re: apparmor support in latest kernel

I'll give the patches a try with the latest kernel I suppose and see how they hold up. I also thought about using grsecurity for MAC, but it looks like it might be a little bit daunting for a desktop setup.

Re: apparmor support in latest kernel

You do not need patching for basic functionality. If you need mount and/or network mediation, you need to apply one or two patches. To make use of aa-status (and the upstream rc script), you'll also need the profile introspection patch.

When I asked in irc about the status of merging the patches in mainline, I was told that the interface is going to change and these patches will never be merged and eventually dropped. I think that we can expect new stuff before April 2013, when the next Ubuntu version is released. The kernel patches will probably end up in 3.8 or 3.9.
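The post above splits AppArmor support into three layers (basic enforcement, profile introspection for aa-status, and mount/network mediation). The script below is an added example, not code from the thread or from the AppArmor project: it probes the running kernel for each layer so you know which of aa-status, aa-genprof and mount/network rules to trust before writing profiles. It reads the stock kernel interfaces `/sys/module/apparmor/parameters/enabled` and `/sys/kernel/security/apparmor/profiles`; the `features/mount` and `features/network` entries under securityfs are an assumption about kernels newer than the ones discussed here, and on a kernel without the mediation patches they are simply reported absent. The ROOT argument exists only so the probe can be exercised against a constructed directory tree instead of a live system.

```shell
#!/bin/sh
# Added example (not from the thread): probe the running kernel's AppArmor
# support before trusting aa-status or aa-genprof. The first argument is a
# root prefix, empty for the live system; it is a parameter only so the probe
# can be run against a constructed sysfs-like tree.

# Layer 1: is the LSM enabled at all? (stock kernel interface)
aa_enabled() {
    root=${1:-}
    f="$root/sys/module/apparmor/parameters/enabled"
    [ -r "$f" ] && [ "$(cat "$f")" = "Y" ]
}

# Layer 2: profile introspection. aa-status and the upstream rc script read
# this securityfs file; without it they cannot list loaded profiles.
aa_has_introspection() {
    root=${1:-}
    [ -r "$root/sys/kernel/security/apparmor/profiles" ]
}

# Layer 3: mediation classes. Assumption: newer kernels advertise each class
# as a directory under features/; a kernel without the mount/network patches
# has no such entry, so the check fails closed.
aa_has_feature() {
    root=${1:-}
    [ -e "$root/sys/kernel/security/apparmor/features/$2" ]
}

# Summarise the layers as one word so callers (or a test) can branch on it.
aa_support_level() {
    root=${1:-}
    if ! aa_enabled "$root"; then
        echo none
    elif ! aa_has_introspection "$root"; then
        echo basic
    elif aa_has_feature "$root" mount && aa_has_feature "$root" network; then
        echo full
    else
        echo introspection
    fi
}

# Stand-alone run: describe the live system and what each level means.
main() {
    level=$(aa_support_level "${1:-}")
    echo "apparmor support: $level"
    case $level in
        none)          echo "AppArmor is not enabled in this kernel" ;;
        basic)         echo "profiles load, but aa-status/aa-genprof need the introspection interface" ;;
        introspection) echo "aa-status works; mount and network rules are not mediated" ;;
        full)          echo "introspection plus mount and network mediation present" ;;
    esac
}

main "$@"
```

Run it with no arguments on the box you are profiling; a result of `basic` is the situation the poster describes, where profiles enforce but aa-status and genprof have nothing to read.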

Re: apparmor support in latest kernel

ph0tios wrote:

I'll give the patches a try with the latest kernel I suppose and see how they hold up. I also thought about using grsecurity for MAC, but it looks like it might be a little bit daunting for a desktop setup.

Meh, not so much. RBAC has a learning mode like AppArmor.

All the other security measures grsecurity and PaX can provide are critical too. Arch Linux is vanilla, so it is up to the user to secure their systems. Linux all by itself is very vulnerable to attack. The aur/linux-pax-flags package takes 99% of all the trouble out of using PaX. I just make sure to run it after every upgrade to make sure the PaX flags are set correctly.